
I'm writing a program to practice some reverse engineering techniques. Here are the relevant lines of x86 (Intel) assembly code:

mov eax, [ebp - 20]   ; load the 32-bit dividend from the stack
cdq                   ; sign-extend eax into edx:eax (64-bit dividend)
idiv ecx              ; edx:eax / ecx -> quotient in eax, remainder in edx

Through my input (a network socket) I can control the bytes that go into eax and ecx before these lines of assembly are executed.

My question is: what are the minimum values (positive or negative) that I can use in order to cause division overflow (where division overflow is NOT a "divide by zero" error but where a result is returned that is greater than 32 bits and, therefore, will not fit into eax, the return register)?

Thank you in advance for your help!

jkovba
    There is no such input, all results will fit. Actually maybe `-2^31 / -1` won't :) – Jester Oct 11 '16 at 16:58
  • @harold I think I'd like to define minimum as the smallest positive or negative value s.t. overflow occurs. As a complete false and contrived example: if 0xff/3 and 0xff/2 both caused overflow, I would consider 0xff/2 to be the minimum. – jkovba Oct 11 '16 at 17:01
  • @Jester I'll have to think about your suggestion there but division overflow can definitely happen when dividing a 64-bit quantity by a 32-bit quantity. This is not the case for multiplication though. – jkovba Oct 11 '16 at 17:03
  • Except this is a 32 bit division. Performed on a 64 bit sign-extended dividend, but still a 32 bit division in effect. – Jester Oct 11 '16 at 17:03

1 Answer


Since your dividend is 32 bits and it is sign extended to 64 bits by the cdq the only way to get an overflow is due to the asymmetry of two's complement, namely that it can represent -2^31 but not +2^31. As such, you can do -2^31 / -1.

Jester
  • Ok, I was thinking it had to happen along one of those byte boundaries. Since the MSB is being used as the sign bit, when we count from 2^n -1 to 2^n, in the unsigned case we'd be fine but in the signed case we're inadvertently flipping the sign bit and this is where the overflow happens. You are exactly right, thanks a lot for your help! – jkovba Oct 11 '16 at 17:12
  • @jkovba Note that this calculation, because it doesn't fit into the destination operand, will generate a divide error exception. This is the same exception that's generated when dividing by 0. – Ross Ridge Oct 11 '16 at 18:37
  • @RossRidge That's exactly what I'm looking for! I'm using Python to send bytes over a socket and I'm looking to make a specific method crash by generating an exception by causing an 'idiv' instruction to overflow EAX. – jkovba Oct 11 '16 at 19:15
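The following is an added example, not code from the question or the answer. It models the `cdq ; idiv ecx` sequence in portable C so the boundary cases from the answer and comments can be checked without triggering a real #DE: the 64-bit sign-extended dividend, the truncating division, and the "quotient does not fit in 32 bits" check that raises the same exception as a divide by zero. It also emits the little-endian bytes a 32-bit load such as `mov eax, [ebp - 20]` expects, on the assumption (mine, not stated in the post) that the socket bytes land in memory unchanged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Portable model of   cdq ; idiv ecx   applied to a 32-bit dividend in EAX.
 * idiv r/m32 divides the signed 64-bit value EDX:EAX by the operand, stores
 * the quotient in EAX and the remainder in EDX, and raises #DE (the same
 * exception as division by zero) when the quotient does not fit in 32 bits. */

typedef struct {
    int32_t eax;          /* quotient  (valid only when !divide_error) */
    int32_t edx;          /* remainder (valid only when !divide_error) */
    bool    divide_error; /* #DE raised: divisor 0 or quotient out of range */
} idiv_result;

/* cdq: copy bit 31 of EAX into every bit of EDX, so EDX:EAX is the
 * sign-extended 64-bit dividend. */
int64_t cdq_extend(int32_t eax) {
    int32_t edx = (eax < 0) ? -1 : 0;
    uint64_t edx_eax = ((uint64_t)(uint32_t)edx << 32) | (uint32_t)eax;
    return (int64_t)edx_eax;  /* two's complement reinterpretation */
}

idiv_result idiv_model(int32_t eax, int32_t ecx) {
    idiv_result r = {0, 0, false};
    if (ecx == 0) { r.divide_error = true; return r; }
    int64_t dividend = cdq_extend(eax);
    /* |dividend| <= 2^31 and ecx != 0, so this 64-bit division cannot overflow */
    int64_t q   = dividend / ecx;  /* C truncates toward zero, as idiv does   */
    int64_t rem = dividend % ecx;  /* remainder takes the sign of the dividend */
    if (q > INT32_MAX || q < INT32_MIN) { r.divide_error = true; return r; }
    r.eax = (int32_t)q;
    r.edx = (int32_t)rem;
    return r;
}

/* Little-endian encoding of a 32-bit register value: the byte order a
 * 32-bit x86 load reads from memory (assumption: bytes are stored as sent). */
void encode_le32(int32_t v, uint8_t out[4]) {
    uint32_t u = (uint32_t)v;
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(u >> (8 * i));
}

int main(void) {
    /* Constructed boundary cases around the asymmetry the answer describes. */
    struct { int32_t eax, ecx; } cases[] = {
        { INT32_MIN,     -1 },  /* the only pair whose quotient (+2^31) overflows */
        { INT32_MIN + 1, -1 },  /* +2^31 - 1 still fits */
        { INT32_MIN,      1 },
        { INT32_MIN,     -2 },
        { 7,             -2 },
        { 5,              0 },  /* divide by zero: same #DE */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        idiv_result r = idiv_model(cases[i].eax, cases[i].ecx);
        if (r.divide_error)
            printf("eax=%11ld ecx=%11ld -> #DE\n",
                   (long)cases[i].eax, (long)cases[i].ecx);
        else
            printf("eax=%11ld ecx=%11ld -> eax=%11ld edx=%11ld\n",
                   (long)cases[i].eax, (long)cases[i].ecx, (long)r.eax, (long)r.edx);
    }
    uint8_t b[4];
    encode_le32(INT32_MIN, b);
    printf("bytes for eax = -2^31: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    encode_le32(-1, b);
    printf("bytes for ecx = -1   : %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

Only `INT32_MIN / -1` trips the range check; every other divisor for that dividend halves the magnitude at least once, and every other dividend has a quotient of at most 2^31 - 1 in magnitude. Because the model never executes a real `idiv`, it runs on any host, which is useful when building the payload on a machine that is not the 32-bit target.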